Firefox 60: new "not secure" indicator preferences

Mozilla Firefox 60 and newer versions of the web browser support two new browser preferences that highlight HTTP websites as "not secure" in the browser's address bar.

HTTPS is pushed throughout the Web and many sites and services migrated to HTTPS already. Browser makers like Google or Mozilla prepare to mark HTTP sites and services as not secure which will give HTTPS adoption another push as sites may lose users if they are marked as not secure.

Let's Encrypt Data

Let's Encrypt data, which uses Firefox Telemetry data to get a read on pageloads over HTTP and HTTPS, saw global HTTPS connections at about 70% yesterday and US traffic at 78.6% already.

Closing Words

HTTPS adoption will improve in 2018, and one reason for that is that browser makers will mark HTTP pages as "not secure". Webmasters who don't want their sites to show up as insecure need to migrate to HTTPS. Considering that it takes some preparation to do so, especially for sites with more than a few dozen pages, it seems like a very good idea to start the migration asap if it has not started already.

Mozilla Firefox 60 and newer versions of the web browser support two new browser preferences that highlight HTTP websites as "not secure" in the browser's address bar.

Author

Martin Brinkmann

Publisher

Ghacks Technology News

Logo

Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

About Martin Brinkmann

Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News Back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand.You can follow Martin on Facebook, Twitter or Google+

Good points. Just had an audit done for one of my clients and they are being pushed so that no self signed certs are used internally. While I can sort of understand their point of view, a self signed cert on, say my VMware Appliances, or Wireless Controllers isn’t as huge of a concern to me because as you say, if the hacker is already inside we’re pretty f’d.

” they are being pushed so that no self signed certs are used internally”

That’s pretty ridiculous. When used correctly, self-signed certs (or, more properly, certs signed by a self-signed CA that you control) are better than ones signed by a third-party CA, because you can actually trust the trust chain. The only advantage to using certs signed by a third-party CA is convenience.

Yes, this is a pertinent point, and part of why this use of “secure” and “not secure” makes me a little uncomfortable. To the nontechnical user, “secure” implies “safe”, and that implication can be misleading.

I’m also reminded of the age-old truism in security: the moment you believe you are secure is the moment that you are at the greatest risk.

Ridiculous is that it’s fucking hard to get the most used CMS (wordpress) to https. Let me tell you it’s a fucking nightmare. It took me 5hrs to get every fucking page. They hard-code so much absolute urls into the serialized format, that’s impossible to do replace with a simple SQL. Also most plugins that should be able to fix that do it only partially. None of them doesn’t handle everything because it’s impossible because of the sheer number of plugins.

That makes sense. I made this change a few years back and had forgotten the details, so I peeked into one of my servers — I think the biggest factor is that because I mirror all my sites on a private server (so I can experiment with structural changes safely), I had already arranged everything to use relative URLs rather than full ones, so the sites would work under different top level domains without change.

So, in fairness, it did take a lot of work — but it’s work I’d already put in before I ever switched to HTTPS.

Well setting up nginx is a quick process. Changing the url inside a settings page is quick but that in reality does nothing. After that you have to go through every page and every widget because each of them can have some url hard coded to the http version. Not fixing this for someone might be ok, but then you get a green padlock with a triangle, because you are serving mixed content. Now imagine that you have a site in a few languages. You have to repeat this for every language. The problem with that lies in wodpress design where everything is crammed into some key value posts so the content get’s serialized so you can fit everything into those 2 columns. Unfortunately the php serialization format prefixes the string with the length. and changing http to https doens’t work via search and replace which would be a 5 minute task.

Yes, if I recall correctly last time they laid people off, they gave them a bunch of time to find new jobs and proposed different jobs within Mozilla to some of them. This is clearly more fair and respectful than your typical Rightist* fired-on-the-spot habit, with quotas on how many of them should be “dismissed for serious misconduct” because that’s a gain for the company.

I believe mosto of the people will think that this is about the status of the website security not the connection between their browser and the website server. So, I’m pretty sure that we’ll now see a lot of viruses and malware spread through all these websites that Firefox marks as “secure” and people will be more confused and will lose some trust into their browser. Besides, what’s with the expiration date of SSL certificates? How can someone put a website online and and accessible and make sure it stays that way for years?

About gHacks

Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.